The filter treats a request as secure if request.secure is true.

This logic depends on the trusted proxies configured for Play’s HTTP engine. Internally, play.core.server.common.ForwardedHeaderHandler and play.api.mvc.request.RemoteConnection together determine whether an incoming request meets the criteria to be “secure”, meaning that the request has gone through HTTPS at some point.

When the filter is enabled, any request that is not secure is redirected.
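
Because request.secure is derived from forwarded headers only when they arrive from a trusted proxy, the trusted proxy list decides which peers can mark a request as having used HTTPS. The configuration below is an added example, not part of the original documentation; it assumes a TLS-terminating load balancer in the constructed subnet 10.0.1.0/24 and contrasts an over-broad trust setting with a narrow one.

```hocon
# Added example. The subnet below is a constructed placeholder; replace it
# with the address range of your own TLS-terminating proxy.

# Enable the redirect filter.
play.filters.enabled += play.filters.https.RedirectHttpsFilter

play.http.forwarded {
  # Header family the proxy sends:
  #   "x-forwarded" -> X-Forwarded-For / X-Forwarded-Proto
  #   "rfc7239"     -> Forwarded
  version = "x-forwarded"

  # Over-broad (avoid): every peer is treated as a trusted proxy, so a
  # forwarded-protocol header from any client is believed and a plain HTTP
  # request can evaluate as secure, which skips the redirect.
  # trustedProxies = ["0.0.0.0/0", "::/0"]

  # Narrow: only the load balancer subnet may assert the original protocol.
  # Headers from any other peer are ignored, so direct plain HTTP requests
  # evaluate as not secure and are redirected.
  trustedProxies = ["10.0.1.0/24"]
}
```

If the proxy's address is missing from trustedProxies, its forwarded headers are ignored as well, so requests that did arrive over HTTPS at the proxy still evaluate as not secure and the filter keeps redirecting them.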

It is also possible to set play.filters.https.strictTransportSecurity = null to disable HSTS.

Note that the Strict-Transport-Security header tells the browser to prefer HTTPS for all requests to that hostname, so if you enable the filter in dev mode, the header will affect other apps being developed with that hostname (e.g. localhost:9000). If you want to avoid this, either use a different host for each app in development (app1:9000, app2:9000, etc.) or disable HSTS completely in dev mode.

The filter redirects using HTTP code 308, which is a permanent redirect that does not change the HTTP method according to RFC 7238. This will work with the vast majority of browsers, but you can change the redirect code if working with older browsers: